New FIN7-Linked Infrastructure, PowerNet Loader, and Fake Update Attacks
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:
Insikt Group uncovered new infrastructure linked to GrayAlpha, a threat actor associated with FIN7. They identified a custom PowerShell loader named PowerNet that deploys NetSupport RAT, and another loader called MaskBat. Three main infection vectors were discovered: fake browser updates, fake 7-Zip download sites, and the TAG-124 traffic distribution system. While all three methods were used simultaneously, only the fake 7-Zip sites remained active at the time of writing. The analysis also led to the identification of a potential individual involved in GrayAlpha operations. The group's sophisticated tactics highlight the need for comprehensive security measures, including application allow-listing, employee training, and advanced detection techniques.
OPENCTI LABELS:
fake updates, netsupport rat, infrastructure, fin7, tag-124, 7-zip, powernet, maskbat